diff --git a/application/utils.inc.php b/application/utils.inc.php
index 2cf915aa22..e6f2311203 100644
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -2048,4 +2048,33 @@ class utils
 {
 return ITOP_REVISION === 'svn';
 }
+
+ /**
+ * @param string $sPath for example '/var/www/html/itop/data/backups/manual/itop_27-2019-10-03_15_35.tar.gz'
+ * @param string $sBasePath for example '/var/www/html/itop/data/'
+ *
+ * @return bool false if path :
+ * * invalid
+ * * not allowed
+ * * not contained in base path
+ * Otherwise return the real path (see realpath())
+ *
+ * @since 2.6.5 2.7.0 N°2538
+ */
+ final public static function RealPath($sPath, $sBasePath)
+ {
+ $sFileRealPath = realpath($sPath);
+ if ($sFileRealPath === false)
+ {
+ return false;
+ }
+
+ $sRealBasePath = realpath($sBasePath); // avoid problems when having '/' on Windows for example
+ if (!self::StartsWith($sFileRealPath, $sRealBasePath))
+ {
+ return false;
+ }
+
+ return $sFileRealPath;
+ }
 }
diff --git a/datamodels/2.x/itop-backup/ajax.backup.php b/datamodels/2.x/itop-backup/ajax.backup.php
index 7a28abfe57..b81e720d4e 100644
--- a/datamodels/2.x/itop-backup/ajax.backup.php
+++ b/datamodels/2.x/itop-backup/ajax.backup.php
@@ -141,11 +141,14 @@ JS
 }
 $sToken = utils::ReadParam('token', '', false, 'raw_data');
- $sTokenFile = APPROOT.'/data/restore.'.$sToken.'.tok';
- if (!is_file($sTokenFile))
+ $sBasePath = APPROOT.'/data/';
+ $sTokenFile = $sBasePath.'restore.'.$sToken.'.tok';
+ $tokenRealPath = utils::RealPath($sTokenFile, $sBasePath);
+ if (($tokenRealPath === false) || (!is_file($tokenRealPath)))
 {
 IssueLog::Error("ajax.backup.php operation=$sOperation ERROR = inexisting token $sToken");
- DisplayErrorAndDie($oPage, "
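Review bot: The containment check in RealPath is a plain string-prefix test against the result of `realpath($sBasePath)`, which strips the trailing separator, so a sibling directory whose name merely starts with the base directory's name (constructed example: `.../data` versus `.../data-old`) would satisfy `self::StartsWith` and be accepted as "inside" the base. Compare against the base with a separator appended, and reject a base path that realpath() cannot resolve instead of handing `false` to StartsWith, whose behaviour with a non-string needle is not visible here: `if ($sRealBasePath === false) { return false; }` followed by `if (!self::StartsWith($sFileRealPath, rtrim($sRealBasePath, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR))`. The docblock's `@return bool` also understates the contract, since the last statement returns a string; `@return string|false` matches the two return statements.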
Error: missing token file: '$sTokenFile'
");
+ $sEscapedToken = utils::HtmlEntities($sToken);
+ DisplayErrorAndDie($oPage, "Error: missing token file: '$sEscapedToken'
");
 }
 $sEnvironment = utils::ReadParam('environment', 'production', false, 'raw_data');
@@ -158,8 +161,8 @@ JS
 set_time_limit(0);
 // Get the file and destroy the token (single usage)
- $sFile = file_get_contents($sTokenFile);
- unlink($sTokenFile);
+ $sFile = file_get_contents($tokenRealPath);
+ unlink($tokenRealPath);
 // Loading config file : we don't have the MetaModel but we have the current env !
 $sConfigFilePath = utils::GetConfigFilePath($sEnvironment);
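Review bot: The token read by `utils::ReadParam('token', '', false, 'raw_data')` is still concatenated into `$sTokenFile` without any check on its own format, so the new `utils::RealPath` containment test is the only thing between the raw request parameter and the `is_file`/`file_get_contents` calls that follow. A format check on the token before the path is assembled would make this branch robust independently of how RealPath treats prefix edge cases; if the token generator emits a fixed alphabet (confirm where the `restore.*.tok` file is written), a guard such as `if (!preg_match('/^[A-Za-z0-9]+$/', $sToken)) { DisplayErrorAndDie($oPage, 'Error: invalid token'); }` placed before `$sBasePath = APPROOT.'/data/';` is sufficient. Separately, `$tokenRealPath` breaks the `$s` prefix convention that every neighbouring variable follows (`$sToken`, `$sTokenFile`, `$sBasePath`); `$sTokenRealPath` would read consistently. The enclosing block starts before this hunk.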
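Review bot: `file_get_contents($tokenRealPath)` can return `false` (the file can disappear between the `is_file` check in the previous hunk and this read), and `$sFile` then flows on unchecked, presumably as the backup file name used later in this restore branch — that later use is outside the hunk, so confirm it. A guard such as `if ($sFile === false) { DisplayErrorAndDie($oPage, 'Error: cannot read token file'); }` between the read and `unlink($tokenRealPath)` keeps a failed read from continuing as an empty name; the `unlink` return value is likewise ignored and could at least be logged through `IssueLog::Error`, since a token that is not destroyed stays reusable. The rest of this branch lies outside the hunk.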